Bug 240553

Summary: vsftpd has a create/lock race condition which corrupts uploads
Product: Red Hat Enterprise Linux 5 Reporter: Martin Poole <mpoole>
Component: vsftpdAssignee: Martin Nagy <mnagy>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0CC: brockn, mbarabas, mnagy, tao
Target Milestone: ---Keywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2008-0295 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 14:16:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch to handle write race condition on simultaneous upload
none
new patch to handle write race condition none

Description Martin Poole 2007-05-18 13:06:11 UTC 
+++ This bug was initially created as a clone of Bug #240550 +++

Description of problem:

There is a race condition in the open/lock code which is triggered when two
clients upload to the same file. The lock is only obtained after the file is
opened and in the case of the second client to causes the client to hang until
the first client completes. The problem is that both opens are performed with
O_TRUNC | O_APPEND which in the second client's case truncates the first
client's progress to that point. Once the first client completes and releases
the lock the second client then appends to whatever the first client uploaded
after the second client performed the open.  This results in a file which is
neither one thing nor the other.

Version-Release number of selected component (if applicable):

vsftpd-2.0.5-10.el5

How reproducible:

Always.

Steps to Reproduce:
1. Simultaneously upload different files from 2 clients to same file on server
2.
3.
  
Actual results:

Uploaded file is combination of tail of first client + second file.

Expected results:

One or the other file.

Additional info:

best reproduced by using large files or limiting upload rate.

-- Additional comment from mpoole on 2007-05-18 08:55 EST --
Created an attachment (id=154992)
patch to handle write race condition on simultaneous upload
Comment 1 Martin Poole 2007-05-18 13:06:12 UTC 
Created attachment 154994 [details]
patch to handle write race condition on simultaneous upload
Comment 4 Martin Nagy 2007-11-29 08:43:25 UTC 
Created attachment 272591 [details]
new patch to handle write race condition

This patch also respects read lock on the file that is being overwritten.
Comment 5 Michal Nowak 2007-11-30 09:21:15 UTC 
Use RHTS test case
       /CoreOS/vsftpd/regressions/testbug_para_upload
for testing.
Comment 6 RHEL Program Management 2007-12-03 20:42:53 UTC 
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.
Comment 7 Martin Nagy 2007-12-04 12:32:10 UTC 
Fixed in fedora/rawhide (vsftpd-2.0.5-21.fc9).
Comment 8 Martin Nagy 2007-12-06 20:40:23 UTC 
Re-proposing for 5.2 since vsftpd was approved for 5.2.
Comment 9 RHEL Program Management 2007-12-06 20:45:53 UTC 
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.
Comment 10 RHEL Program Management 2007-12-07 15:34:34 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 12 Martin Nagy 2007-12-12 08:23:05 UTC 
This will be fixed in vsftpd-2.0.5-10.el5
Comment 13 Martin Nagy 2007-12-12 10:09:03 UTC 
Correction:
This will be fixed in vsftpd-2.0.5-11.el5
Comment 17 Martin Nagy 2008-02-12 17:50:38 UTC 
*** Bug 432526 has been marked as a duplicate of this bug. ***
Comment 18 Brock Noland 2008-02-28 16:21:42 UTC 
I don't think your patch is fixing the actual problem. The actual problem is
that vsftp is opening the file incorrectly. It should not be using the O_TRUNC
and O_APPEND flags. See my fix in Bug 432526.

int
vsf_sysutil_create_overwrite_file(const char* p_filename)
{
  return open(p_filename, O_CREAT | O_TRUNC | O_WRONLY |
                          O_APPEND | O_NONBLOCK,
              tunable_file_open_mode);
}
Comment 19 errata-xmlrpc 2008-05-21 14:16:39 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0295.html
Comment 20 Issue Tracker 2008-05-22 00:44:59 UTC 
Closing based on latest errata. Please re-open if necessary.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.2'

This event sent from IssueTracker by balkov 
 issue 120992